This Week in Cybercrime: ITU Internet Conference Falls Prey to a Cyberattack

The International Telecommunication Union's World Conference on International Telecommunications (WCIT) in Dubai kicked off this week. The gathering, whose focus is on the Internet, was organized by the ITU, the UN organization that has quietly set technical standards for global telecommunications for decades. But late on the conference’s third day, a cyberattack disabled the ITU website. The ITU told Computerworld that the outage “blocked civil society, media and other interested parties from following the proceedings, and prevented access to the wealth of online information on the ITU's WCIT home page and Newsroom.” And some delegates were unable to access documents posted online that were being considered at the meeting.

The ITU says it employed a "contingency measure [whereby] network traffic was redirected to a backup website hosted in another geographical region." That shift, the group said, resulted in "performance degradation" that lasted for about two hours.

It wasn’t long before the hacktivist group Anonymous, which has been critical of what it views as the ITU’s foray into Internet regulation, claimed responsibility for the online attack. Anonymous, which called the ITU “extremely non-transparent and un-democratic,” is one of a number of groups up in arms over the ITU having approved a standard last month that could lead to inspection of encrypted Internet traffic.

Will Banks Take the Fall When Security Lapses Lead to Big Losses?

Wired reported on 30 November that People’s United Bank in Maine has agreed to reimburse Patco Construction Company, of Sanford, Maine, for US $345 000 that was siphoned from Patco’s account in 2009. People’s United agreed to give Patco the money only after the First Circuit Court of Appeals in Boston ruled that the bank’s handling of information that could have prevented or at least limited the losses did not meet the standards called for under the U.S. Uniform Commercial Code.

According to court documents, cyberthieves sent a phishing e-mail to multiple Patco addresses. A single click put the Zeus Trojan, which steals passwords, on an employee computer, allowing the hackers to find out the login credentials associated with the company’s commercial bank account. The bank’s automated system later flagged a series of fraudulent automated clearing house, or ACH, transfers ($100 000 a day) as suspicious. But despite the fact that the transfers featured several glaring differences from the construction company’s banking habits, the bank did not alert Patco. Bank personnel reasoned that the bank had verified that the user ID and password used for the ACH transactions were correct and that was all it needed to do. When the construction company became aware of the missing funds, the bank insisted that Patco would have to take the loss.

Though a U.S. district court in Maine ruled in the bank’s favor, finding that although the bank’s security procedures “were not optimal,” they were about as good as those employed by other banks, the appellate court disagreed. It ruled that the bank’s handling of the matter did not meet the UCC’s “commercially reasonable” standard and told the two parties to reach a settlement.

“This case says to banks and to commercial customers … that there are circumstances in which the bank cannot shift the risk of loss back to the customer, and we’re not going to assume that security procedures are commercially reasonable just because the bank has a system that they say is state of the art,” Dan Mitchell, the attorney who represented Patco, told Wired.
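The failure described above, a transfer that passes the password check but is out of character and is nonetheless allowed through, is easy to model. The following is an added illustration, not code from the bank or the article: the transaction history, account identifiers, IP addresses and the three-times-average and daily-volume thresholds are all constructed assumptions.

```python
"""Added illustration: hold-and-alert logic for ACH transfers that pass a
credential check but depart from the customer's established pattern.
Constructed data and thresholds; not the bank's system."""
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class AchTransfer:
    day: str              # ISO date, constructed
    amount: float         # US dollars
    dest_account: str     # receiving account, constructed identifier
    origin_ip: str        # address the online-banking session came from
    credentials_ok: bool  # user ID and password verified

# Constructed baseline resembling a small contractor's weekly payroll ACH.
HISTORY = [
    AchTransfer("2009-04-10", 9800.0, "payroll-01", "203.0.113.7", True),
    AchTransfer("2009-04-17", 10100.0, "payroll-01", "203.0.113.7", True),
    AchTransfer("2009-04-24", 9950.0, "payroll-01", "203.0.113.7", True),
    AchTransfer("2009-05-01", 10250.0, "payroll-01", "203.0.113.7", True),
]

def risk_flags(t, history, same_day_total=0.0, daily_limit=50000.0):
    """Return the ways transfer `t` departs from the customer's habits."""
    flags = []
    if t.amount > 3 * mean(h.amount for h in history):
        flags.append("amount_far_above_norm")
    if t.dest_account not in {h.dest_account for h in history}:
        flags.append("new_destination")
    if t.origin_ip not in {h.origin_ip for h in history}:
        flags.append("new_origin_ip")
    if same_day_total + t.amount > daily_limit:
        flags.append("daily_volume_exceeded")
    return flags

def decide(t, history, same_day_total=0.0):
    """A correct password is necessary, not sufficient: anything flagged is
    held and the customer is notified out of band before it settles."""
    if not t.credentials_ok:
        return "reject", ["bad_credentials"]
    flags = risk_flags(t, history, same_day_total)
    return ("hold_and_alert", flags) if flags else ("approve", flags)
```

The point is the last function: a flagged transfer changes the outcome even when the credentials are valid, which is what the bank's process lacked.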

Were Twitter and Facebook Lax About Fixing a Security Flaw?

Internet security research firm Kaspersky Lab reported on 4 December that a vulnerability in the Twitter and Facebook features that allow users to post tweets and status updates via text could let anyone who knows a particular user's mobile phone number tweet or update from that user's account and change the user's profile information. Twitter lets a user post messages and perform account updates by sending SMS commands from a mobile device that he or she has registered with the social media service. The problem: Spoofing a phone number is as easy as spoofing the sender information in an e-mail header. Twitter’s security is set up so that a PIN can be required, but the user has to turn that feature on in his or her account settings.
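To make the weakness concrete, here is an added model of an SMS command gateway, not Twitter's code or anything from the article: it authenticates a command by the caller ID alone unless the account has opted into a PIN, and a hardened variant requires the PIN for every account. The account table, the phone numbers, the PIN-prefix message format and the `require_pin_for_all` switch are constructed assumptions.

```python
"""Added illustration of an SMS command gateway that trusts the sender number
by default and checks an account PIN only where the user turned it on.
Accounts and messages are constructed; not Twitter's implementation."""
import hmac

# Constructed accounts keyed by registered phone number. Only bob has
# enabled the optional PIN in his settings.
ACCOUNTS = {
    "+15555550100": {"user": "alice", "pin": None},
    "+15555550101": {"user": "bob", "pin": "4721"},
}

def handle_sms(sender_number, body, require_pin_for_all=False):
    """Return (outcome, user, text). The gateway sees only the sender number
    in the message; it cannot tell whether that field was spoofed."""
    acct = ACCOUNTS.get(sender_number)
    if acct is None:
        return ("ignored", None, None)
    pin = acct["pin"]
    if pin is None and require_pin_for_all:
        # hardened policy: no PIN configured means no SMS posting at all
        return ("rejected_no_pin_set", acct["user"], None)
    if pin is not None:
        supplied, _, rest = body.partition(" ")
        # constant-time comparison so a wrong PIN does not leak via timing
        if not hmac.compare_digest(supplied, pin):
            return ("rejected_bad_pin", acct["user"], None)
        body = rest
    return ("posted", acct["user"], body.strip())

def simulate(require_pin_for_all=False):
    """Run three constructed messages; the gateway has no way to confirm
    that the second and third were really sent by the numbers' owners."""
    inbox = [
        ("+15555550101", "4721 lunch at the site office"),
        ("+15555550100", "message carrying alice's number, no PIN on file"),
        ("+15555550101", "message carrying bob's number, PIN omitted"),
    ]
    return [handle_sms(number, text, require_pin_for_all) for number, text in inbox]
```

With the default policy the second message is posted as alice on the strength of the caller ID alone; with `require_pin_for_all=True` it is refused, which is the behaviour an opt-in PIN cannot guarantee.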

“In August I was doing research on SMS spoofing and tested against Twitter and Facebook, and found that they were vulnerable,” Jonathan Rudenberg, the researcher who discovered the flaw, told Kaspersky Lab. “I was about to publish what I found last week when a friend asked me whether I had tested Venmo, which I found was also vulnerable,” says Rudenberg.

Why are we just finding out about this? According to Rudenberg, he alerted Twitter in August and the company asked him to keep quiet about his discovery until it could fix the problem. But several weeks later when he asked for an update on Twitter’s progress, the company, he says, failed to respond. “Initially Facebook did not respond to my report on their security vulnerability page,” he notes in a post about the vulnerability on his website. “I then emailed a friend who works at Facebook, who facilitated my contact with their security team,” he recalls. But nearly three months went by before he received confirmation that Facebook had resolved the issue. Rudenberg published the information as well as a timeline of his contacts with Twitter, Facebook, and Venmo on 3 December.